Offline JWT Validation with Go

Offline JWT Validation with Go

How to validate a JSON Web Token with Go

Florian von Bock

Hi Phillip!

There is a high severity bug in jwt-go (CVE assigned:… )

It is discussed on the ticket here:…

As the original author/maintainer seems to not be active on the project a couple of fork/fixes have been made. See the ticket for those and/or alternative JWT implementations.


Joël Franusic

Hi Florian,

Thanks for bringing this up. I haven’t yet tested this, but I believe that Phillip’s example would address this particular CVE since he manually verifies the “aud” claim:

else if token.Claims.(jwt.MapClaims)[“aud”] != “api://default” {
errorMessage = “Invalid aud”

I’m going to look into testing this to be sure, of course. However, at first glance, it seems like Phillip’s code is okay in regards to this specific CVE.